[joomla] New Joomla release 1.5.13: Joomla! Security News

Stephen Burge steve at joomlatraining.com
Thu Jul 23 10:56:57 EDT 2009


I believe there are a couple of bugs with the 1.5.13 release:
http://forum.joomla.org/viewtopic.php?f=430&t=423159

Might be good to hold off for 24 / 48 hours before updating. The Bug 
Squad is apparently busy getting the fixes ready.

Steve



Mitch Pirtle wrote:
> Thanks Donna, I missed this totally in my avalanche of work and deadlines.
>
> -- Mitch
>
> On Thu, Jul 23, 2009 at 8:38 AM, Donna Marie
> Vincent<donnamarievincent at yahoo.com> wrote:
>   
>> Joomla! Security News
>>
>> ________________________________
>>
>> [20090722] - Core - Missing JEXEC Check
>>
>> Posted: 22 Jul 2009 04:36 PM PDT
>>
>> Project: Joomla!
>> SubProject: Framework
>> Severity: Moderate
>> Versions: 1.5.12 and all previous 1.5 releases
>> Exploit type: XSS
>> Reported Date: 2009-July-21
>> Fixed Date: 2009-July-22
>>
>> Description
>>
>> Some files were missing the check for JEXEC.  These scripts will then expose
>> internal path information of the host.
>>
>> Affected Installs
>>
>> All 1.5.x installs prior to and including 1.5.12 are affected.
>>
>> Solution
>>
>> Upgrade to latest Joomla! version (1.5.13 or newer).
>>
>> Reported by Juan Galiana Lara (Internet Security Auditors)
>>
>> Contact
>>
>> The JSST at the Joomla! Security Center.
>>
>> [20090722] - Core - File Upload
>>
>> Posted: 22 Jul 2009 04:17 PM PDT
>>
>> Project: Joomla!
>> SubProject: TinyMCE editor
>> Severity: Critical
>> Versions: 1.5.12
>> Exploit type: Image File upload
>> Reported Date: 2009-July-22
>> Fixed Date: 2009-July-22
>>
>> Description
>>
>> Tiny browser included with TinyMCE 3.0 editor allowed files to be uploaded
>> and removed without logging in.
>>
>> Affected Installs
>>
>> Version 1.5.12 only
>>
>> Solution
>>
>> Upgrade to latest Joomla! version (1.5.13 or newer).
>>
>> Reported by Patrice Lazareff.
>>
>> Contact
>>
>> The JSST at the Joomla! Security Center.
>>
>> _______________________________________________
>> New York PHP SIG: Joomla! Mailing List
>> http://lists.nyphp.org/mailman/listinfo/joomla
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php
>>
>>     
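
An audit for the condition the first advisory quoted above describes (PHP files missing the JEXEC check), added here as an example that is not part of the original thread or of Joomla's own code. It assumes the conventional guard forms `defined('_JEXEC') or die` and `defined('JPATH_BASE') or die`; the sample file names and contents are constructed.

```python
import re
import tempfile
from pathlib import Path

# Guard at the top of Joomla 1.5 files; library files test JPATH_BASE instead.
GUARD = re.compile(
    r"defined\s*\(\s*['\"](_JEXEC|JPATH_BASE)['\"]\s*\)\s*(or|\|\|)\s*(die|exit)\b", re.I)
# Entry points such as index.php define _JEXEC themselves and need no guard.
ENTRY = re.compile(r"define\s*\(\s*['\"]_JEXEC['\"]", re.I)
# Whitespace and comments are the only things allowed before the guard.
LEADING = re.compile(r"(?:\s+|/\*.*?\*/|//[^\n]*|#[^\n]*)*", re.S)

# Constructed sample files, not taken from any Joomla release.
SAMPLE = {
    "index.php": "<?php\n// entry point\ndefine('_JEXEC', 1);\nrequire 'includes/app.php';\n",
    "includes/app.php": "<?php\n/** demo */\ndefined('_JEXEC') or die('Restricted access');\nclass App {}\n",
    "libraries/util.php": "<?php\ndefined( 'JPATH_BASE' ) or die();\nfunction util() {}\n",
    "plugins/late.php": "<?php\nrequire_once dirname(__FILE__) . '/base.php';\ndefined('_JEXEC') or die();\n",
    "plugins/none.php": "<?php\nclass Widget extends MissingParent {}\n",
}


def is_guarded(source):
    """True if the first statement after <?php is the guard or the _JEXEC define."""
    start = source.find("<?php")
    if start < 0:
        return True  # assumption: a file with no <?php block has nothing to guard
    pos = LEADING.match(source, start + len("<?php")).end()
    return bool(GUARD.match(source, pos) or ENTRY.match(source, pos))


def find_unguarded(root):
    """Return sorted relative paths of .php files under root that lack the guard."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if not is_guarded(p.read_text(encoding="utf-8", errors="replace")))


def demo():
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return find_unguarded(tmp)


if __name__ == "__main__":
    print(demo())
```

A file whose guard appears only after other statements is reported as well, since code ahead of the guard still runs on a direct request.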



